Chapters

36 Chapters | 3:44:20 |

01

Setup & Ways to Extend API Platform

4:39
02

State Providers, Processors & a Custom Field

4:49
03

Decorating the Core State Provider

4:47
04

Decorating the CollectionProvider

7:12
05

Simpler State Processor

5:47
06

Running Code "On Publish"

6:05
07

Totally Custom Resource

4:19
08

Custom Resource State Provider

5:04
09

Using a Custom (Date) Identifier

7:35
10

Custom Resource Item Provider

3:26
11

Custom Resource State Processor

6:48
12

Relating Custom ApiResources

5:13
13

Embedding Custom DTO's

4:47
14

Pagination on a Custom Resource

8:18
15

User Class Dto

4:24
16

stateOptions + entityClass Magic

10:07
17

Entities, DTO's & The "Central" Object

6:24
18

Provider: Transforming Entities to DTOs

4:47
19

Entity -> DTO Item State Provider

4:11
20

DTO -> Entity State Processor

7:39
21

Leveraging the Core Processor

7:11
22

Controlling Fields without Groups

4:31
23

Other Conditional Field Strategies

6:04
24

DTO Validation & Security

6:13
25

MicroMapper: Central DTO Mapping

10:11
26

Reusable Entity->Dto Provider & Processor

4:11
27

Quick! Create a DragonTreasure DTO

9:51
28

Dtos, Mapping & Max Depth of Relations

8:05
29

Making DragonTreasureApi Writable

7:23
30

DTO & Security

9:39
31

Field Security with Patch

6:17
32

Triggering a "Publish"

4:14
33

Writable Relation Fields

5:09
34

Writing to a Collection Relation

5:08
35

Writable Collection via the PropertyAccessor

6:29
36

Simpler Validator for Checking State Change

7:23

> APIs > API Platform 3 Part 3: Custom Resources

Buy Access to Course

10.

Custom Resource Item Provider

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

Let's try to get a single item. I'll change the date, hit "Execute", and... 200 status code. Hold your horses... this is returning a collection: the exact same data as our collection endpoint!

Collection vs Item Operations

Ok, each operation can have its own provider. But when we put provider directly under #[ApiResource], this becomes the provider for every operation. That's peachy... given you don't forget that some operations fetch a collection of resources while other fetch a single item.

Inside our provider, the $operation helps us know the difference. dd() that...

            Copy Code

                            Show All Lines

                        34 lines
            |
            src/State/DailyQuestStateProvider.php
        
                Show Lines

                                                    // ... lines 1 - 9
                            
            class DailyQuestStateProvider implements ProviderInterface
        
            {
        
                public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null
        
                {
        
                    dd($operation);
        
                Show Lines

                                                    // ... line 15
                            
                }
        
                Show Lines

                                                    // ... lines 17 - 32
                            
            }

Then, over here, copy the URL, paste it in a new tab and add .jsonld to the end. There we go! This is a Get operation. If we try to fetch the collection, it's GetCollection.

Back in the provider, if ($operation instanceof CollectionOperationInterface), return $this->createQuests().

            Copy Code

                            Show All Lines

                        38 lines
            |
            src/State/DailyQuestStateProvider.php
        
                Show Lines

                                                    // ... lines 1 - 4
                            
            use ApiPlatform\Metadata\CollectionOperationInterface;
        
                Show Lines

                                                    // ... lines 6 - 10
                            
            class DailyQuestStateProvider implements ProviderInterface
        
            {
        
                public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null
        
                {
        
                    if ($operation instanceof CollectionOperationInterface) {
        
                        return $this->createQuests();
        
                    }
        
                Show Lines

                                                    // ... lines 18 - 19
                            
                }
        
                Show Lines

                                                    // ... lines 21 - 36
                            
            }

Below, we know this is an "item" operation.

URI Variables

So this does keep the collection operation working. Now, we need a way to extract the date string from the URL so we can find the one quest that matches. How can we get that? dd($uriVariables).

            Copy Code

                            Show All Lines

                        38 lines
            |
            src/State/DailyQuestStateProvider.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
                public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null
        
                {
        
                Show Lines

                                                    // ... lines 15 - 18
                            
                    dd($uriVariables);
        
                }
        
                Show Lines

                                                    // ... lines 21 - 38

When we refresh... behold: there's a dayString inside! Notice that, in DailyQuest, we never configure what the URL should look like. You can do that, but by default, API Platform automatically figures out what the route and URL should look like. Run:

php bin/console debug:router

For the item endpoints, it's /api/quests/{dayString}: the dayString is a wildcard in the route. In the provider, $uriVariables will contain every variable part of the URI - so dayString in our case. That makes us dangerous.

Returning a Single Items

Down here, we need to return a single DailyQuest or null. Say $quests = $this->createQuests(), then return $quests[$uriVariables['dayString']] or null if it's not set.

            Copy Code

                            Show All Lines

                        40 lines
            |
            src/State/DailyQuestStateProvider.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
                public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null
        
                {
        
                Show Lines

                                                    // ... lines 15 - 18
                            
                    $quests = $this->createQuests();
        
                    return $quests[$uriVariables['dayString']] ?? null;
        
                }
        
                Show Lines

                                                    // ... lines 23 - 40

Remember: this works because the array uses dayString for each key. In a real app, we would want to do this more efficiently: it doesn't make sense to load every quest... just to return one. But for our test app, this will work fine.

Ok, try that endpoint. Got it! One result. And if we try a random date that doesn't exist... like "2013"... we get a 404. API Platform sees that we returned null and it handled the 404 for us.

We are now the proud parents of a fully functional state provider! Though we'll talk about this more soon - including topics like pagination. But next: let's shift our focus to creating a state processor for our custom resource.

4 Comments

Sort By

Joe-L 8 months ago

Hi,

I'm working on an api with a State Provider and Voter, I'm finding that the provider is invoked before the voter. This leads to some odd results, 404 instead of 401. In the API Platform doc's I can see that providers are invoked by ReadListener event, and debugging my projects kernel.request (bin/console debug:event-dispatcher kernel.request) I can see DenyAccessListener is next in the ordering.

Is there a way I invoked my Voter before the State Provider?

Thanks

| Reply |

weaverryan SFCASTS Joe-L 8 months ago

Hey @Joe-L!

Hmm. Assuming you're talking about a voter used in a context like this:

new Patch(security: 'is_granted("EDIT", object)')

Then you're totally right... and the problem is that the provider must be invoked first so that the object is available to be passed to the voter.

You said that you're hitting a 404 instead of a 401? Is that because your provider contains the logic to filter down and only return the correct record(s) based on your security rules? If so, for the item operation, if you need a 401, I would stop doing that, allow the object to be found and then let your voter do its work.

But maybe you have some more complex requirements. Let me know!

Cheers!

| Reply |

Joe-L weaverryan 8 months ago

Hi Ryan,

I have a provider to retrieve data from an external source (in this case S3), and want to add security to limit who has access to this endpoint.

If a request is made with a bad id and by a user who doesn't meet the requirements in the voter, then a 404 is return. In my opinion this would suggest the user has access but has provided the wrong id. Is there a different solution I should be using when I want to limit the API access regardless of the content in the response? In this case we're potentially making unnecessary requests to our external source, we'd like to mitigate this as much as possible.

Many thanks

| Reply |

weaverryan SFCASTS Joe-L 7 months ago

Hey @Joe-L!

Sorry for the slow reply - life hit :)

If a request is made with a bad id and by a user who doesn't meet the requirements in the voter, then a 404 is return

I see - the provider does its job and THEN if successful the voter is called. There's really nothing wrong with adding some security code into the provider itself. If you want to trigger a 403, I think you can just throw an AccessDeniedException and that'll throw you into the normal 403 flow.

Let me know if that helps!

Cheers!

| Reply |

Symfony 6.3 API Platform 3

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.1",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "3.1.x-dev", // 3.1.x-dev
        "doctrine/annotations": "^2.0", // 2.0.1
        "doctrine/doctrine-bundle": "^2.8", // 2.10.2
        "doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.4
        "doctrine/orm": "^2.14", // 2.16.1
        "nelmio/cors-bundle": "^2.2", // 2.3.1
        "nesbot/carbon": "^2.64", // 2.69.0
        "phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
        "phpstan/phpdoc-parser": "^1.15", // 1.23.1
        "symfony/asset": "6.3.*", // v6.3.0
        "symfony/console": "6.3.*", // v6.3.2
        "symfony/dotenv": "6.3.*", // v6.3.0
        "symfony/expression-language": "6.3.*", // v6.3.0
        "symfony/flex": "^2", // v2.3.3
        "symfony/framework-bundle": "6.3.*", // v6.3.2
        "symfony/property-access": "6.3.*", // v6.3.2
        "symfony/property-info": "6.3.*", // v6.3.0
        "symfony/runtime": "6.3.*", // v6.3.2
        "symfony/security-bundle": "6.3.*", // v6.3.3
        "symfony/serializer": "6.3.*", // v6.3.3
        "symfony/stimulus-bundle": "^2.9", // v2.10.0
        "symfony/string": "6.3.*", // v6.3.2
        "symfony/twig-bundle": "6.3.*", // v6.3.0
        "symfony/ux-react": "^2.6", // v2.10.0
        "symfony/ux-vue": "^2.7", // v2.10.0
        "symfony/validator": "6.3.*", // v6.3.2
        "symfony/webpack-encore-bundle": "^2.0", // v2.0.1
        "symfony/yaml": "6.3.*", // v6.3.3
        "symfonycasts/micro-mapper": "^0.1.0" // v0.1.1
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.4
        "mtdowling/jmespath.php": "^2.6", // 2.6.1
        "phpunit/phpunit": "^9.5", // 9.6.11
        "symfony/browser-kit": "6.3.*", // v6.3.2
        "symfony/css-selector": "6.3.*", // v6.3.2
        "symfony/debug-bundle": "6.3.*", // v6.3.2
        "symfony/maker-bundle": "^1.48", // v1.50.0
        "symfony/monolog-bundle": "^3.0", // v3.8.0
        "symfony/phpunit-bridge": "^6.2", // v6.3.2
        "symfony/stopwatch": "6.3.*", // v6.3.0
        "symfony/web-profiler-bundle": "6.3.*", // v6.3.2
        "zenstruck/browser": "^1.2", // v1.4.0
        "zenstruck/foundry": "^1.26" // v1.35.0
    }
}

Previous Chapter

Next Chapter

Custom Resource Item Provider

Share this awesome video!

Keep on Learning!

Collection vs Item Operations

URI Variables

Returning a Single Items

4 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 9
	class DailyQuestStateProvider implements ProviderInterface
	{
	public function provide(Operation $operation, array $uriVariables = [], array $context = []): object\|array\|null
	{
	dd($operation);
Show Lines	// ... line 15
	}
Show Lines	// ... lines 17 - 32
	}

Show Lines	// ... lines 1 - 4
	use ApiPlatform\Metadata\CollectionOperationInterface;
Show Lines	// ... lines 6 - 10
	class DailyQuestStateProvider implements ProviderInterface
	{
	public function provide(Operation $operation, array $uriVariables = [], array $context = []): object\|array\|null
	{
	if ($operation instanceof CollectionOperationInterface) {
	return $this->createQuests();
	}
Show Lines	// ... lines 18 - 19
	}
Show Lines	// ... lines 21 - 36
	}

Show Lines	// ... lines 1 - 12
	public function provide(Operation $operation, array $uriVariables = [], array $context = []): object\|array\|null
	{
Show Lines	// ... lines 15 - 18
	dd($uriVariables);
	}
Show Lines	// ... lines 21 - 38